
Remote Access Detection Report

by Megan Daudelin
April 8, 2016

Remote access capabilities are widely used for information technology support, collaboration, and data accessibility. Attackers can leverage remote access tools for malicious purposes, such as illegally exfiltrating proprietary data or spying on users. SecurityCenter is able to integrate with Nessus, the Passive Vulnerability Scanner (PVS), and the Log Correlation Engine (LCE) to monitor the use of remote access tools within an organization.

The Remote Access Detection report assists security teams with understanding remote access usage and vulnerabilities. Vulnerabilities and events related to standard remote access protocols, such as SSH, VNC, and RDP, are presented for review. The report also includes data about proprietary protocols such as pcAnywhere, Apple Remote Desktop, WebEx, Google Desktop, and GoToMyPC. Security teams can use this report in order to monitor the use of remote access in the environment and adjust policies and configurations as needed.

The chapters in this report utilize all collection methods from SecurityCenter Continuous View (CV). By using data from Nessus and PVS, the elements are able to identify systems capable of remote access. Nessus detects installed software, browser plugins, and other artifacts indicative of desktop control software to identify systems with remote access capabilities. PVS monitors network traffic to identify vulnerabilities and perform host, application, and operating system discovery using advanced packet analysis. LCE is used to log PVS events and track other events related to remote access. One element uses the destination port filter, which matches ports commonly used by several remote access protocols, to identify possible remote access activity. The matching traffic could be legitimate remote access, but it should be investigated and monitored to determine whether malicious activity is occurring.
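The destination-port approach described above can be illustrated outside SecurityCenter. The following Python is an added example, not part of the Tenable report or its filter definition; the port mapping, internal range, allowlist, and flow records are all assumptions constructed for the illustration.

```python
import ipaddress

# Default ports for protocols the report names. This mapping is an assumption
# for the example, not the report's own filter definition.
REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC",
                       5631: "pcAnywhere", 3283: "Apple Remote Desktop"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
APPROVED = {("10.0.2.20", 22)}                     # hypothetical allowlist

# Constructed sample flow records: "src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
10.0.1.15 10.0.2.20 22
10.0.1.15 10.0.2.20 22
203.0.113.7 10.0.2.30 3389
10.0.1.40 10.0.2.31 5900
10.0.1.40 10.0.2.50 443
not a flow line
10.0.1.41 10.0.2.60 5631
"""

def triage(flow_text, approved=APPROVED):
    """Group flows to remote access ports by (dst, port) and add a verdict."""
    findings = {}
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records
        try:
            src = ipaddress.ip_address(parts[0])
            dst = str(ipaddress.ip_address(parts[1]))
            port = int(parts[2])
        except ValueError:
            continue
        if port not in REMOTE_ACCESS_PORTS:
            continue
        f = findings.setdefault((dst, port), {
            "protocol": REMOTE_ACCESS_PORTS[port], "count": 0,
            "sources": set(), "external": False})
        f["count"] += 1
        f["sources"].add(str(src))
        f["external"] |= src not in INTERNAL_NET
    for key, f in findings.items():
        # Approved, internal-only use is expected; the rest needs review.
        ok = key in approved and not f["external"]
        f["verdict"] = "expected" if ok else "investigate"
    return findings

if __name__ == "__main__":
    for (dst, port), f in sorted(triage(SAMPLE_FLOWS).items()):
        print(dst, port, f["protocol"], f["count"], f["verdict"])
```

A port match alone only indicates possible remote access; the allowlist and source-range checks are what separate expected administration from traffic worth investigating.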

The report is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The report can be easily located in the SecurityCenter Feed under the category Threat Detection and Vulnerability Assessments. The report requirements are:

  • SecurityCenter 5.2.0
  • Nessus 6.5.4
  • PVS 4.4.0
  • LCE 4.6.1

SecurityCenter CV can identify vulnerabilities and help eliminate blind spots on your network, such as systems capable of remote access. SecurityCenter CV uses Nessus and PVS to detect missing patches, incorrect configurations, lapsed defenses, incomplete monitoring, and network intruders. Tenable’s unique combination of detection, reporting, and pattern recognition leads the marketplace in Continuous Monitoring. By taking a proactive approach to continuous monitoring, SecurityCenter CV can identify critical risk across the entire enterprise.

The following chapters are included in this report:

  • Executive Summary: This chapter provides a high-level overview of the remote access use in the network. The presence and use of both standard protocols and proprietary software are monitored. The elements in this chapter can be used by security teams to monitor remote access tools over time.
  • Remote Access Detection: This chapter presents detailed information about remote access vulnerabilities, compliance, and remediation. The presence of vulnerabilities related to specific protocols or software is reflected through a set of indicators. The exploitability, CVSS score, and compliance status of vulnerabilities related to common protocols and tools are also presented. Additionally, detailed remediation instructions for vulnerabilities related to remote access are listed.